Review of the United States Marshals Service's Prisoner Tracking System

Report No. 04-29
August 2004
Office of the Inspector General

Appendix 12

U.S. Department of Justice

United States Marshals Service

Office of the Director

Washington, DC 20530-1000

June 8, 2004

MEMORANDUM TO:

Guy K. Zimmerman
Assistant Inspector General
for Audit

FROM:

Benigno G. Reyna (original signed)
Director

SUBJECT:

Response to Draft Audit Report - Review of the United States Marshals Service's Prisoner Tracking System

Thank you for the opportunity to comment on the draft audit report on your Review of the United States Marshals Service's Prisoner Tracking System (PTS). We have reviewed the recommendations contained in the report, and our comments are attached.

For purposes of accuracy, please note that Page 1 of the report includes dollar figures ascribed to PTS, with Footnote 7 reporting these figures to be derived from budget requests submitted to OMB and JMD. These figures are not consistent with what USMS has submitted through the budget process. We are at OIG's disposal to discuss the figures reported and provide the information we believe to be accurate.

Should you have any questions or concerns regarding this response, please contact Isabel Howell, Audit Liaison, at 202-307-9744.

Attachment

cc:

Stacia Hylton
Assistant Director
Prisoner Services Division, USMS

Diane Litman
Acting Chief Information Officer

Michael Pearson
Assistant Director
Executive Services Division, USMS

Vickie L. Sloan
DOJ Audit Liaison

USMS Response to Draft Audit Report on the
Review of United States Marshals Service's
Prisoner Tracking System

Recommendation 1:

Appoint a security manager responsible for the PTS application and ensure the appointment is documented.

Recommendation 2:

Develop a training program to ensure that PTS users receive specialized training before being granted access to the application.

Response: (Agree.) The future Justice Detainee Information System (JDIS), a merging of PTS with other USMS systems, will include a training module designed to teach a new user the application before he/she begins actually utilizing the application.

Recommendation 3:

Ensure that individuals performing system administrator duties are properly trained in their responsibilities.

Response: (Additional Information Requested.) The report states that "some system administrators were unfamiliar with their hardware and software environment and lacked specific knowledge...". Accordingly, we will work with the OIG to identify which system administrators lacked the adequate knowledge and expertise. During the exit interview, the OIG stated their finding was based on the auditors speaking to Administrative Officers and/or personnel with collateral IT duties in the Eastern District of Virginia, not to ITS system administrators, who do have adequate training and expertise. If this was the only instance, then we will ask that the finding be deleted from the audit report or, at a minimum, that the report be corrected to reflect the above.

Recommendation 4:

Ensure that access authorizations for the PTS are reviewed and that USMS Headquarters update its authorized PTS users list in a timely manner to incorporate changes from the District Offices.

Response: (Agree in Part.) There is no known DOJ or federal security requirement that states that both local offices and Headquarters must maintain user lists. However, the USMS recognizes the need for establishing internal controls to ensure the integrity of authorized access for PTS. Therefore, the USMS will ensure that our internal audits conducted by USMS Program Review include a review of the districts' lists for accuracy.

Recommendation 5:

Ensure that existing measures, such as door locks, are used to provide protection against unauthorized access to sensitive areas.

Response: (Additional Information Requested.) The audit report states, "physical access controls were adequately enforced at seven of the eight sites visited." It would appear this situation is an aberration versus a systemic problem that justifies categorization as a vulnerability in the report. During the exit interview the USMS requested the site where the locks were not engaged, but to date this information has not been received from the OIG. The USMS would require the location be provided in order to take corrective measures.

Recommendation 6:

Ensure PTS users are informed of the policies and procedures for requesting changes to the application.

Response: (Disagree.) The OIG states that, "PTS application end-users were either unfamiliar with or unaware of the process for requesting changes to the application." As acknowledged in the report the USMS does have a Systems Development Life Cycle (SDLC) process in place that contains system change request instructions. The SDLC policy is published on the USMS Intranet (making it available to all USMS information technology users). USMS personnel were informed of the new procedures by e-mail at the time of its issuance and provided specialized training. Cumulatively, these measures seem reasonable and adequate to ensure end-users are aware of the necessary process. Moreover, because there is nothing in the audit report text to substantiate that the potential vulnerability noted in the last paragraph of page 12 exists at USMS, we ask that consideration be given to excluding this item as a noted vulnerability.

Recommendation 7:

Remove outdated version of the PTS's application programming software and database management system from the production environment and replace with current versions that are supported by the vendor.

Response: (Agree.) The USMS concurs with the OIG finding on pages iv and 13-14 of the report. The USMS has already taken steps through the development of JDIS to address this problem.

Recommendation 8:

Ensure policies and procedures for segregating duties are developed and enforced to provide assurance that district functions are performed by different individuals and that no individual has complete control over the PTS's processing functions.

Response: (Agree in Part, Additional Information Requested.) To the extent feasible with existing IT staffing resources, the USMS has segregated duties to minimize functional incompatibility. On April 30, 2004, the USMS Chief of IT Security issued memoranda designating specified individuals as Information Systems Security Officers (including for PTS) and delineated their duties. The memorandum is consistent with DOJ policy requirements and should resolve the noted vulnerability.

With regard to the lack of formal policies and procedures for the record creation process, as noted in the last two paragraphs on page 16 of the audit report, we have asked for clarification from the auditors. The formal policy and procedures are outlined in the PTS Users Manual and the Web Based Policy Directive 9.2 (Attachment B).

Recommendation 9:

Ensure that:

a) Employees involved in emergency response procedures are identified and trained in their emergency roles and responsibilities; and

b) Emergency contact lists are maintained on-site.

Response:

a) (Disagree, Additional Information Required.) ITS Regional System Administrators have been briefed by USMS IT Headquarters management, are fully aware of required actions and responsibilities in the event of an emergency situation, and will work with local System Administrators to take appropriate actions.

It would be difficult for the USMS to comment further or address if any further corrective actions are necessary without the OIG identifying what locations or system administrators lack sufficient training to support the restoration of the application and its data files. Our concern has been previously identified in our response to recommendation 3, that the OIG's findings may have been based on the auditors speaking to Administrative Officers and/or personnel with collateral IT duties, not to ITS system administrators who do have adequate training and expertise. However, the USMS will continue to periodically test the IT emergency response procedures, as it is currently doing as part of an incident response exercise being undertaken in collaboration with DOJ.

b) With regard to the findings and recommendations on pages v and 17-21, the USMS has published its contingency plans (including PTS) on the USMS Intranet, so districts do have ready access to lists with emergency points of contact and to the emergency procedures to be followed. The PTS contingency plan, which will be tested annually in accordance with DOJ/IT security policy, may be found at:
http://156.9.252.31/it/security/resources/CP/FMS%20Contigency%20Plan_2003.pdf

Recommendation 10:

Response: (Additional Information Requested.) As stated in the audit report, there is established USMS IT policy that requires rotation and off-site storage of backup tapes. The USMS would request that the OIG provide details as to the specific sites where backup tapes are not being periodically rotated in order to take corrective action. In addition, ITS will require that this be reinforced by the USMS Program Review team when they are conducting on-site audits of the district offices.

Recommendation 11:

Perform annual testing of the PTS contingency plan as required by the Department.

Response: (Agree.)

The PTS contingency plan will be tested annually in accordance with DOJ IT security policy.

Recommendation 12:

Develop policies and procedures to:

a) establish key source document requirements, and

b) standardize the record creation process throughout the USMS for the PTS.

Response: (Agree in Part.)

a) The USMS believes that the policy and procedures for establishing key source document requirements are already in place. The USMS agrees that an internal review should be formalized to ensure that current policies are being adhered to. Therefore, the USMS agrees to direct district management to review and check that source documents are being used correctly in the creation of a prisoner's record in PTS. The USMS agrees to establish a requirement that, as part of Program Review's internal audit, key source documents are used accurately when creating or updating a prisoner's PTS record. The audit will include such things as a review of the prisoner's file as compared to the reports of the USM-129/312 generated by PTS.

b) (Disagree.) The record creation process is standardized throughout the USMS in the policies and procedures promulgated in the PTS User's Manual and associated policy directives.

Recommendation 13:

Implement a control, such as requiring the supervisory authorization of data, to ensure that before information is entered into the system, transactions are supported by properly authorized source documents.

Response: (Agree in Part.) The recommendation calls for a supervisor to sign off on a handwritten USM-129/312. In addition, the OIG also suggests that supervisors oversee data entry by checking each entry against the printed version of the USM-129/312 and checking each transaction against a source document. In our view, unless a prisoner is re-interviewed by the supervisor, there would be little that could be achieved on verification of information; the district can ensure data fields are completed when applicable. Therefore, without creating layers of redundant work, the USMS will notify district managers to perform a periodic spot check of PTS transactions to ensure integrity of information; limited resources will preclude implementation of supervisory verification to the extent OIG suggests.

Recommendation 14:

Maintain and review audit trails for the PTS application as required by the Department.

Response: (Agree in Part.) The Authorization Controls vulnerability (2nd checked item vulnerability) noted on page vi is inconsistent with the text supporting it on pages vii and 27 of the audit report. It would appear that the text supports the noted Completeness Controls vulnerability, but should be eliminated as a vulnerability under Authorization Controls. It should also be noted that while the USMS does agree that adequate audit logs do not currently exist on the PTS system, this is due to the age of the system software (as addressed previously in our response to Recommendation 7), not because "USMS management does not require that audit logs be maintained" (as stated on page vii of the audit report). The JDIS initiative underway will rectify the audit log problem.

Recommendation 15:

Ensure that the PTS application is modified to perform automatic global database searches of all its district offices' databases to prevent the assignment of more than one USMS number to the same prisoner.

Response: (Agree.) Through JDIS, global searches will be possible, and enhanced reporting capability will be provided to assist districts/PSD in the identification of erroneous data.

Recommendation 16:

Ensure erroneous data is collected and reported back to USMS management for investigation and correction.

Response: (Agree.) PSD already performs periodic spot checks of records via reports that are written for jail utilization and population projections. PSD is currently in the process of performing a "records clean-up" in anticipation of the release of a new version of PTS.

Recommendation 17:

Response: (Disagree.) The USMS position on this recommendation is that there is no "unauthorized" employee. All USMS employees undergo a background investigation before beginning employment, and receive the appropriate clearance level for this type of information. In addition, all USMS employees will undergo computer security training. Unfortunately, networked printers are a requirement due to limited resources.

Recommendation 18:

Ensure that each installation of the application protects against simultaneous updates of the same record by more than one end-user.

Response: (Additional Information Requested.) USMS/ITS was unable to replicate the OIG-described situation of concurrent updates of the same PTS record. We ask that OIG provide backup details, so that we can respond to this finding/recommendation.

Recommendation 19:

Response: (Agree.) Through policy revisions and memoranda, districts will be specifically instructed as to what information should be contained in the prisoner folder. (Also see our response to Recommendation 12 a).

Recommendation 20:

Ensure that data integrity assurances and quality control measures are developed and implemented to:

a) require the periodic spot-checking and validation of output from the PTS; and

b) confirm that the processing of information is correct.

Response: (Agree.) Please refer to our responses to Recommendations 13, 16, and 19, as this recommendation is closely related. We will remind the district offices to keep clean and accurate prisoner folders.

OIG Note: Additional attachments to the consolidated response were too voluminous to incorporate into this report. The attachments may be obtained by contacting the United States Marshals Service.